Healthcare organizations should steer clear of connecting internet of things devices to their networks unless they serve a precise medical purpose, says attorney Julia Hesse.
"There was a rise a few years ago ... of internet connected light bulbs and internet connected beds," she notes in an interview with Information Security Media Group. "From our perspective, the security risks associated with allowing that type of networked device outweigh the patient care benefits, at least until those products have more robust security provisions."
If healthcare entities prefer not to ban all nonmedical IoT devices from their environments, it's essential that they closely scrutinize the security risks, Hesse advises.
"We're seeing regulators expecting healthcare providers to be monitoring all of the traffic on their networks and conducting security assessments associated with that network traffic," the attorney notes.
"If there's an IoT device that's connected on the network, that healthcare provider will be expected to have known that and have done some level of risk assessment," says Hesse, who is a featured speaker presenting on security threats and risk analysis at the HIMSS19 conference in Orlando, Florida this week.
In the interview, Hesse also discusses:
- IoT device privacy concerns;
- Patient data security risks and challenges related to cloud-based services;
- The top cybersecurity challenges facing healthcare entities in 2019.

Hesse is a partner in the healthcare group at the Boston-based law firm Choate Hall & Stewart. She guides clients through joint ventures, mergers and acquisitions, and counsels on HIPAA and patient data privacy, governance matters, regulatory issues and the federal fraud and abuse laws. Previously, Hesse served as associate general counsel to Tufts Medical Center. She has served as the vice chair of the eHealth Privacy & Security Interest Group of the American Bar Association and co-chair of the Boston Bar Association Health Law Section.